Security Adoption in Heterogeneous Networks: the Influence of Cyber-insurance Market

Transcription

1 Security Adoption in Heterogeneous Networks: the Influence of Cyber-insurance Market Zichao Yang and John C.S. Lui The Chinese University of Hong Kong Abstract. Hosts (or nodes) in the Internet often face epidemic risks such as virus and worms attack. Despite the awareness of these risks and the availability of anti-virus software, investment in security protection is still scare, and hence epidemic risk is still prevalent. Deciding whether to invest in security protection is an interdependent process: security investment decision made by one node can affect the security risk of others, and therefore affect their decisions also. The first contribution of this paper is to provide a fundamental understanding on how network externality effect with nodes heterogeneity may affect security adoption. We characterize it as a Bayesian network game in which nodes only have the local information, e.g., the number of neighbors, as well as minimum common information, e.g., degree distribution of the network. Our second contribution is in analyzing a new form of risk management called cyber-insurance. We investigate how the presence of competitive insurance market can affect the security adoption. Keywords: heterogeneous network, security adoption, cyber-insurance, Bayesian network game 1 Introduction Network security is a major problem in communication networks. One of its most common manifestations is in form of virus, worms and bonnet spreading, which we call the epidemic risk. Epidemic risk is highly damaging, e.g., the Code Red worm [21] has infected thousands of computers and induced huge financial loss. To counter this risk, there have been great efforts in both the research and industrial fronts to come up with techniques and tools (i.e., anti-virus software, intrusion detection systems, firewalls etc) to detect virus/worms. Despite the sophistication of these tools, only a small percentage of hosts adopt some form of security protection, making epidemic risk still prevalent. A node s decision on adopting some security measures is not a simple individual and independent process, but rather, depends on the decisions of many other nodes in the network. Nodes which decide not to invest in security protection, also put other nodes at security risk. This network externality effect caused by the spreading of epidemic influences the degree of adoption of security measure. Our first contribution in this paper is to provide a theoretical understanding on

2 2 Z. Yang, J. C.S. Lui how network externality effect with node heterogeneity may influence security adoption in a network of interconnected nodes (i.e., the Internet). Modeling such decision and security problem requires the combination of epidemic theory and game theory. While extensive studies in traditional literatures have been dedicated to epidemic theory [22], few works have addressed the problems of strategic behavior of security investment. In a realistic situation, nodes which make decision in security investment usually do not have complete information like the network topology or knowledge of other nodes. In this paper, we model the security investment as a Bayesian network game where nodes only have the local information of their degree, as well as the minimum common information of network s degree distribution. In contrast to graphical game [23], in which complete topology is given and analysis is complicated, we show that using Bayesian network game, one can elegantly tradeoff using partial topology information while making the analysis tractable. We show how heterogeneous nodes, characterized by their degree, can estimate their epidemic risk and make decisions on security investment with incomplete information. We show that nodes with higher degree are more likely to be infected by epidemic, making the secure measure less effective for them in terms of the reduction in infection probability. Moreover, nodes with higher degrees are more sensitive to externality effect. While protection measures may limit the spread of virus/worms, another way to manage the epidemic risk is to transfer the risk to a third-party, which is called cyber-insurance [13]: nodes pay certain premium to insurance companies in return for compensation in the virus outbreaks. One main challenge in cyber-insurance is moral hazard [11, 13]. The combination of self-protection and insurance raises the problem of moral hazard, in which nodes covered by insurance may take fewer secure measures. Moral hazard happens when the insurance provider cannot observe the protection level of nodes. In this paper, we investigate the effect of cyber-insurance on security adoption under competitive insurance market without moral hazard 1. Our second contribution is to show the conditions under which cyber-insurance is an incentive for security adoption. We find that cyber-insurance is an incentive for security adoption if the initial secure condition is poor and the quality of secure measure is not very high. This is the outline of our paper. In Section 2, we present the epidemic and security investment models. In Section 3, we show how heterogeneous nodes can determine their infection probability and decide on proper security investment. In Section 4, we investigate the effect of insurance market without moral hazard on security adoption. Validations and performance evaluations are presented in Section 5. Section 6 gives related work and Section 7 concludes. 2 Mathematical Models Our models include: (a) epidemic model: to characterize the spread of virus or malware in a network, (b) investment model: to characterize node s decision in 1 We refer the readers to [27] for the analysis of the case with moral hazard.

3 Security Adoption in Heterogeneous Networks 3 security investment, and (c) Bayesian network game: how nodes make decision under the incomplete information setting. Epidemic Model: The interaction relation of N nodes is denoted by the undirected graph G =(V, E) with the vertex set V, V = N and the edge set E. For i, j V, if (i, j) E, then nodes i and j are neighbors and we use i j to denote this relationship. Let S = {healthy, infected} represent the set of states each node can be in. If node i is infected (healthy), then S i = 1 (S i = 0). Each infected node can contaminate its neighbors independently with probability q. Note that this is similar to the bond percolation process [22] in which every edge is occupied with probability q. Each node has an initial state of being infected or not. This can represent whether the node has been attacked by the adversary. Let us denote it by s i where s i = 1 if node i is initially infected and s i =0 otherwise. Hence, at the steady state, a node is infected either because it is initially attacked, or it contracts virus from its infected neighboring nodes. The final state of node i can be expressed in the following recursive equation: 1 S i = (1 s i ) j:j i (1 θ jis j ) i V, (1) where θ ji is a random variable indicating whether the edge (i, j) is occupied or not. Since the infection will incur some financial loss, a node needs to decide whether to invest in self-protection to reduce the potential financial loss. In the following, we present a model which a node can use to make the decision. Investment Model: Let s say that node i has an initial wealth w i R +.A node s utility u i (w) is a function of wealth w R +. We consider nodes are risk averse, i.e., the utility function is strictly increasing and concave in w, i.e., u i (w) > 0 and u i (w) < 0. In this paper, we consider the constant relative risk averse utility function commonly used in the literature [4]: u(w) =w 1 σ /(1 σ), for 0 < σ < 1, where σ is a parameter for the degree of risk aversion. The utility function of node i is given by the above utility function with parameter σ i. If node i is infected, then it will incur a financial loss of l i R +. To reduce the potential financial loss, a node can consider adopting some self-protection measures or purchasing insurance. In the first part of this paper, we consider the case of self-protection. In the second part of this paper, we consider both cases and study the influence of insurance market on security protection. A node s investment in self-protection can reduce the probability of being infected initially. For the amount of investment x, the probability of being infected initially is denoted as p(x), which is a continuous differentiable decreasing function of x. In particular, we assumed the effort of security investment is separable with the wealth, which is common in the literature [26]. The utility of node i with investment x i in security protection is p i u i (w i l i ) + (1 p i )u i (w i ) x i, (2) where p i is the final probability that node i will be infected. p i contains two parts: the probability of being infected initially, given by p(x i ) and the probability of getting infected from neighbor nodes. For simplicity of analysis, we assume that

4 4 Z. Yang, J. C.S. Lui the choice of node i regarding security self-protection is a binary decision: either the node invests unit amount with a cost of c i, or it does not invest at all. The cost may also include the inconvenience caused by the measure. We use the action set A = {S, N} to denote the behavior, where S denotes taking secure measure and N otherwise. If it decides to invest, the node can still be infected with probability p. Otherwise, it will be infected with probability p +. Obviously we have 0 <p <p + < 1. Let a =(a 1,..., a i,..., a N )= (a i,a i ) be an action profile. Given the action profile a i of other nodes, node i makes the decision by maximizing its expected utility. If node i takes action N, the expected utility is: p i (N,a i )u i (w i l i ) + (1 p i (N,a i ))u i (w i ), where p i (N,a i ) is the final probability of node i being infected when it initially did not adopt security protection. On the other hand, the expected utility of a node without security protection (or action S) is: p i (S,a i )u i (w i l i ) + (1 p i (S,a i ))u i (w i ) c i where p i (S,a i ) is the final probability of a node being infected when it initially subscribed to some self-protection measures with cost c i. Node i will choose to invest in security protection if and only if c i < (p i (N,a i ) p i (S,a i ))(u i (w i ) u i (w i l i )). (3) Bayesian Network Game: According to Inequality (3), each node needs to have the complete information of the network topology G so as to make the proper decision. However, it is almost impossible in practice for each node to have the complete information of G. Instead, each node can only have some local information, i.e., a node may only know its neighbors, and some cases, only knows the number of neighbors it is to interact with. Secondly, it is impossible to know the exact loss of other nodes in a large network. In here, we assume that nodes only have the minimum common information, that is, the knowledge of the degree distribution of G, as well as the distribution of financial loss of nodes caused by virus. In this paper, we consider the asymptotic case that N, the number of nodes, tends to infinity and the degree distribution converges to the fixed probability distribution {p k } K K, where K is the maximum degree and K is the minimum degree. For nodes with degree k, the loss distribution is given by the CDF F k (l). We assume that the cost of secure measure is the same for all nodes which have the same degree, and we denoted this as c k. Furthermore, these nodes have the same utility function u k and the same initial wealth w k. Nodes make decision on security investment based on the information of degree and loss. 3 Analysis for Strategic Security Adoption Determining the final infection probability is a difficult problem because of the complex network structure. In this work, we assume that a node only knows the degree distribution and consider the network topology as a random graph [22] with a given degree distribution {p k } K K. Although real networks are not random graphs [22] and they have some characteristics, e.g., high clustering coefficient,

5 Security Adoption in Heterogeneous Networks 5 community structure etc, that are not possessed by random graph, recent study [19] has shown that random graph approximation is very often accurate for real networks. Thus, it is reasonable to assume that the network topology is a random graph, especially here we consider incomplete information. Estimating the Probability: A node can calculate its final infection probability by constructing a local mean field tree [1]. Fig. 1 illustrates the local tree structure of node i which has degree k. For the ease of presentation, let s say that none of these nodes will take secure measure, i.e., the initial infection probability is p + for all nodes in this subsection. We will show how to relax this later on. i level 0 v 1 v 2... v k level Fig. 1: Local mean field tree for node i with degree k. The children of node i in the local mean field tree are denoted as v c,c [1,k]. The triangle under each child node v c denotes another tree structure. Based on the results in [1], for any node i, the local topology of a large random graph G can be modeled as a tree rooted at node i with high probability. In other words, we transform G to a tree rooted at node i. Node i can be independently influenced by each subtree rooted at v c. For every subtree rooted at v c, it consists of its subtrees. Using this recursive structure, one can derive the total infection probability that other nodes in G can impose on node i. Let us illustrate the derivation. First, we divide nodes into levels. The root node i is at the zero level. The neighbors of node i is at the first level and so on. Let Y j be the final state of node j, j i, conditioned on its parent in the tree structure is not infected, and y j be the initial state of node j. For the root node i, we use S i to denote its final state and s i to denote its initial state, then 1 S i = (1 s i ) j:j i (1 θ jiy j ). (4) The above equation indicates the root node i is either initially infected, or it can be infected by its neighbors. The state of its neighbors conditioned on that the root node i is not infected is also determined by the state of the children of the neighbors in the tree structure, or one can express it recursively as: 1 Y j = (1 y j ) l:l j (1 θ ljy l ) j = i, (5)

6 6 Z. Yang, J. C.S. Lui where l j denotes that l is a child of j in the tree structure. To solve Eq. (5), we need to know the degree distribution of a child node. This degree distribution can be expressed as: p k =, where d is the average degree of nodes kp k K k=k kp k = kp k d in G. The number of edges of a child excluding the edge connecting to its parents is called the excess degree [22]. Let K = max{0,k 1} and K = max{0, K 1}. The excess degree distribution is q k = p k+1 =(k + 1)p k+1 / d, k [K, K ]. As in [1], if nodes are at the same level of the tree structure, their states are independent of each other. Let ρ n,n 1 be the probability that a node at the n th level is infected conditioned on its parent is not infected. By Eq. (5), 1 ρ n = (1 p + ) K k=k q k(1 qρ n+1 ) k. ρ 1 is the average probability that a child node of the root node i will be infected conditioned on the root node is not infected. When we scale up the network (or let n ), define ρ lim n ρ 1, then ρ is determined by the solution of the fixed point equation 1 ρ = (1 p + ) K k=k q k(1 qρ) k. By Eq. (4), for a node with degree k, the infection probability is φ k =1 (1 p + )(1 qρ) k. (6) Security Adoption: In the previous subsection, we show how a node can compute the infection probability with incomplete information. The calculation is based on the assumption that none of the nodes take secure adoption, so that the initially infection probability is p +. In here, we show how to use this infection probability for strategy selection. Let λ k be the fraction of nodes with degree k which take action S. Then by applying the method shown above, we have Proposition 1. If λ k fraction of the nodes with degree k take secure measure, ρ is given by the unique solution of the fixed point equation in [0, 1]: ρ =1 K k=k q k(1 p + + λ k+1 (p + p ))(1 qρ) k. (7) For a node with degree k, if it decides to take secure measure, then by Eq. (6), the infection probability is φ k (S,λ K,..., λ K ) = 1 (1 p )(1 qρ) k. If it does not invest in protection measure, the probability for this node to get infected is φ k (N,λ K,..., λ K )=1 (1 p + )(1 qρ) k. The infection probability reduction for a node with degree k by taking secure measure is φ k (N ) φ k (S) = (p + p )(1 qρ) k. (8) Note that infection probability reduction decreases as degree increases. This implies that higher degree nodes have less incentive to invest in protection measure.

7 Security Adoption in Heterogeneous Networks 7 Corollary 1. ρ, given by the solution of fixed point Eq. (7), has a unique solution in [0, 1], and ρ(λ K,..., λ K ) is a decreasing function of λ k, k [ K, K ]. Sensitivity Analysis: Nodes with different degrees have different sensitivity to the externality effect. Define φ k = φ k (N ) φ k (S) = (p + p )(1 qρ) k. Assume ρ decreases by a small amount ρ, then φ k =(p + p )(1 qρ) k 1 kq ρ, and the relative change is given by φ k φ k = kq ρ (1 qρ), indicating that sensitivity to the network externality effect is proportional to the degree. A node with degree k will invest if and only if the utility with secure measure is higher than that without secure measure, or c k < (p + p )(1 qρ) k (u k (w k ) u k (w k l)). Note that the loss distribution of nodes with degree k is F k (l). Since the infection probability varies with the fraction of security adopters, we consider the self-fulfilling expectations equilibrium [6] in analyzing the final adoption extent. Nodes form a shared expectation that the fraction of the nodes has adopted security measure and if each of them makes decision based on this expectation, then the final fraction is indeed the initial expectation. Let lk be the minimum value that satisfies the above inequality in the equilibrium, then λ k, the fraction of node of degree k taking the secure measure, is given by the equation λ k =1 F k(lk ). Summarizing the previous analysis, we have the following proposition. Proposition 2. Nodes with degree k will take the secure measure if their loss is greater than lk. The final fraction of nodes with degree k that invest in selfprotection is λ k. l k and λ k are solutions of the following fixed point equations: λ k =1 F k (l k), (9) c k =(p + p )(1 qρ ) k (u k (w k ) u k (w k l k)), (10) where ρ is given by the solution of the following equation ρ =1 K k=k q k(1 p + + λ k+1(p + p ))(1 qρ ) k. (11) Corollary 2. Fixed point equations (9) (11) has at least one solution. Corollary 3. The equilibrium points given by fixed point equations (9) (11) are monotone, i.e., if Λ 1 =(λ 1 K,..., λ 1 k,..., λ 1 ) and K Λ 2 =(λ 2 K,..., λ 2 k,..., λ 2 ) are K two equilibrium points, then we have either Λ 1 Λ 2 or Λ 1 Λ 2 and there exists at least one k [K, K] such that λ 1 k λ 2 k. 4 Analysis for Cyber-insurance Market Supply of Insurance: Let s say the insurance provider offers insurance at the price of π < 1. Nodes which buy insurance at the premium of πx from

8 8 Z. Yang, J. C.S. Lui the insurance provider will be compensated X for the loss incurred if they are infected. Given the price π, node will choose to buy the amount of insurance that maximizes its utility. Define φ k (S)(φ k (N )) as the probability that a node with degree k is infected if it subscribes (does not subscribe) to a secure measure. In this paper, we consider cyber-insurance without adverse selection, in which the insurance provider can observe the degree of a node, hence the risk type of a node (high degree indicates high risk level). Thus, in the following, we drop the subscript k where the meaning is clear for general presentation. A node will choose the amount of insurance that maximizes U(π, X)=φu(w l + (1 π)x)+(1 φ)u(w πx) x, (12) where x is the cost of security protection. When a node chooses N (or S), φ becomes φ(n )(or φ(s)), x = 0(or c). Assume the insurance provider is risk neutral, so they only care about the expected wealth. If a node buys X amount of insurance, then the profit of the insurance is (π φ)x. In here, we consider a competitive market so the insurance provider has to offer the insurance at the price π =φ, or the actuarially fair price [7]. Lemma 1. When the insurance is offered at the actuarially fair price, the optimal insurance coverage is a full insurance coverage, i.e., a node will buy insurance amount equal to the loss l. The maximal expected utility is u(w φl) x. Remark: Lemma 1 shows that the expected utility with insurance market is u(w φl) x > φu(w l) + (1 φ)u(w) x. The utility of a node is improved by the insurance market with the fair price. One problem with the combination of insurance and self-protection is moral hazard, which happens when the insurance provider cannot observe the protection level of a node. Insurance coverage may discourage the node to take self-protection measure to prevent the losses from happening. In here, we examine the effect of the insurance market on the self-protection level. In this paper, we consider the case without moral hazard, where the insurance provider can observe the protection level of a node. We refer the reader to [27] for the analysis of the case with moral hazard, where insurance provider does not have any information about the protection level of a node. Without the moral hazard, the insurance provider can discriminate against the nodes with protection measure and those without protection measure. We investigate whether the insurance market will help to incentivize nodes to take secure measure. Security Adoption with Cyber-insurance Market: Because the insurance provider can observe the protection level of a node, the insurance provider will offer insurance price of φ(s) (or φ(n )) for those nodes with (or without) security protection. According to Lemma 1, nodes will buy the full insurance regardless of its protection level. As a result, the expected utility for nodes without protection is u(w φ(n )l) and the expected utility for nodes with protection is u(w φ(s)l) c. Thus, with insurance market, a node will invest in security protection if and only if c < g(l, ρ) u(w φ(s)l) u(w φ(n )l). Here g(l, ρ) is a function of ρ because φ(s) and φ(n ) can be expressed in ρ.

9 Security Adoption in Heterogeneous Networks 9 Lemma 2. g(l, ρ) u(w φ(s)l) u(w φ(n )l) =u(w (1 (1 p )(1 qρ) k )l) u(w (1 (1 p + )(1 qρ) k )l) increases with l, decreases with ρ. Lemma 2 indicates that nodes with higher loss are more likely to invest in security. It also shows that positive network externality still exists even in the presence of insurance market. Incentive Analysis: According to previous analysis, a node will take secure measure if c < c NI (φ(n ) φ(s))(u(w) u(w l)), where c NI is the threshold without insurance market. With insurance market, nodes will take secure measure if and only if c < c I u(w φ(s)l) u(w φ(n )l), where c I denotes the threshold with insurance market. In order for insurance market to be a good incentive for self-protection, we should have c NI <c I, i.e., c I c NI =u(w φ(s)l)+φ(s)(u(w) u(w l)) [u(w φ(n )l)+φ(n )(u(w) u(w l))] > 0. Define r(p) u(w pl) +p(u(w) u(w l)), then the above condition becomes r(φ(s)) >r(φ(n )). Next we investigate under what condition the above inequality will hold. Consider the function r(p), we have the following lemma. Lemma 3. r(p) is a concave function of p and has a unique maximum at p. Proposition 3. If the infection probability without secure measure φ(n ) is greater than p and the quality of self-protection is not too high, i.e., φ(n ) φ(s) is bounded, insurance will be a good incentive for self-protection. Remark: If φ(n ) is smaller than p, cyber-insurance is not a positive incentive for security. If φ(n ) is greater than the p and φ(s) is within the region [φ,φ(n )], where φ be the minimum value such that r(φ )=r(φ(n )), then cyber-insurance is a positive incentive. From the analysis, we can see that insurance will be more likely to be a positive incentive with large φ(n ) and small φ(n ) φ(s). Hence, if the initial secure situation is bad and the protection quality of secure measure is not too high, then insurance market is a positive incentive for self-protection; otherwise, insurance market is a negative incentive. 5 Simulation and Numerical Results Validating Final Infection Probability: We consider a large graph with power-law degree distribution [8]. We want to verify the accuracy of using the mean field on these power law graphs. We use the popular Generalized Linear Preference (GLP) method to generate power law graphs [5]. Parameters were selected so that the power law exponent γ = 3. We generate graphs with 10, 000 nodes and approximately 30, 000 edges. The minimum degree is 3 and the maximum degree is approximately 200. The result is shown in Fig. 2. Initially, every node is infected with the same probability p and every edge is occupied with probability q. We calculate the probability that nodes with certain degree is infected. Fig. 2 shows the simulation verifies the theoretical results.

10 10 Z. Yang, J. C.S. Lui prob p=0.2, q= p=0.2, q=0.1 p=0.1, q=0.1 Theo Sim adoption fraction initial final adoption fraction initial final degree degree degree Fig. 2: Verifying local mean field (a) q =0.05 (b) q =0.10 Fig. 3: Externality effect Security Adoption: In here we investigate how parameters can influence the fraction of adopters with different degrees. We consider a graph G with power law distribution with γ = 3, minimum and maximum degree are 3 and 13. Here maximum degree is set small for the convenience of selecting other parameters without affecting the result in general case. With very large maximum degree, even a small q will make the final infection probability in Eq. (6) very big because of the power relationship. We set σ =0.5 for all nodes. The initial wealth of nodes with degree k is w k = 10 k The loss follows uniform distribution from 0 to half of the initial wealth. The cost of secure measure of all nodes is c = 0.3. Initially, all nodes without (with) secure measure are infected initially with probability p + =0.3 (p =0.2). Having fixed the above parameters, we choose to change q to calculate the fraction of adopters with different degrees because nodes with different degrees are mainly differentiated via the term (1 qρ) k. We show the initial fraction and final fraction of adopters in Fig. 3. Here the initial fraction means that every node assumes that other nodes will not adoption secure measure and makes its decision on this assumption. Final fraction means the fraction given by the minimum equilibrium point in Proposition 2. Due to the positive externality effect, final fraction is greater than initial fraction. We plot them to examine the externality effect. In Fig. 3a and Fig. 3b, we set q to be 0.05 and 0.10 respectively. In Fig. 3a, the adoption fraction increases with degree, in Fig. 3b, the adoption fraction initially increases, then decreases with degree. Comparing the two figures, we see that there is no general rule regarding the fraction of adopters as a function of the degree. It greatly depends on the parameters. However, in both figures the gap between the final fraction and the initial fraction increases with degree, which agrees with our previous result that higher degree nodes are more sensitive to the externality effect. 6 Related Work Recently there has been growing research in the economic of information security [2, 3]. Some models consider the security investment game without incor-

11 Security Adoption in Heterogeneous Networks 11 porating the effect of network topology, i.e., [9, 10, 14]. Others assume that the graph topology is given [12, 20, 24]. [15, 16] are closely related to our work. The network topology is modeled as a Poisson random graph while real networks are with power law distribution. Also, they fail to consider the interaction among those nodes. In contrast, we consider the interaction of nodes by studying a Bayesian network game. Our modeling result provides significant insight on the influence of node heterogeneity on the adoption extent, sensitivity to network externality and cyber-insurance as an incentive. [28] is our previous extended abstract in considering network heterogeneity, which is defined by setting degree thresholds to divide the nodes into classes. Insurance was studied in the economic literature long time ago [7] [25]. But these literatures lack to consider many characteristics specific to computer network, such as the interdependence of security, heterogeneity considered in this work. Cyber-insurance was proposed to manage security risk [18] but is only modeled recently [13,17,26]. A key concern is whether cyber-insurance is an incentive for security adoption. In [17], the authors do not consider the heterogeneity in modeling cyber-insurance. [26] assume the effort on security protection is continuous and do not consider the network topology. 7 Conclusion Modeling strategic behavior in security adoption helps us to understand what are the factors that could result in under investment. In this paper, we show, via a Bayesian network game formulation, how network externality with node heterogeneity can affect security adoption in a large communication network. We also investigate the effect of cyber-insurance on protection level. We establish the conditions under which cyber-insurance is a positive incentive for security adoption. This work provides the fundamental understanding on the economic aspect of security adoption, and sheds light on a new Internet service which is economically viable. References 1. D. Aldous, A. Bandyopadhyay. Survey of max-type recursive distributional equations. The Annals of Applied Prob., 15(2): , R. Anderson. Why information security is hard-an economic perspective. In IEEE Computer Security Applications Conference 01, pages R. Anderson and T. Moore. The economics of information security. Science, 314(5799):610, R. Böhme and G. Schwartz. Modeling cyber-insurance: Towards a unifying framework. In Workshop on the Economics of Information Security, Harvard University, Cambridge (June 2010). 5. T. Bu and D. Towsley. On distinguishing between internet power law topology generators. In INFOCOM, pages IEEE, D. Easley and J. Kleinberg. Networks, crowds, and markets: Reasoning about a highly connected world. Cambridge Univ Pr, 2010.

12 12 Z. Yang, J. C.S. Lui 7. I. Ehrlich and G. Becker. Market insurance, self-insurance, and self-protection. The Journal of Political Economy, 80(4): , M. Faloutsos, P. Faloutsos, and C. Faloutsos. On power-law relationships of the internet topology. In ACM SIGCOMM, pages , J. Grossklags, N. Christin, and J. Chuang. Secure or insecure? a game-theoretic analysis of information security games. In WWW G. Heal and H. Kunreuther. The vaccination game. Center for Risk Management and Decision Process Working Paper, B. Hillier. The economics of asymmetric information. Palgrave Macmillan, L. Jiang, V. Anantharam, and J. Walrand. Efficiency of selfish investments in network security. In Proc. of the 3rd international workshop on Economics of networked systems, pages ACM, J. Kesan, R. Majuca, and W. Yurcik. Cyberinsurance as a market-based solution to the problem of cybersecurity: a case study. In Proc. WEIS. Citeseer, H. Kunreuther and G. Heal. Interdependent security. Journal of Risk and Uncertainty, 26(2): , M. Lelarge and J. Bolot. A local mean field analysis of security investments in networks. In Proc. of the 3rd international workshop on Economics of networked systems, pages ACM, M. Lelarge and J. Bolot. Network externalities and the deployment of security features and protocols in the internet. In ACM SIGMETRICS, M. Lelarge, J. Bolot. Economic incentives to increase security in the internet: The case for insurance. In INFOCOM, pages , G. Medvinsky, C. Lai, and B. Neuman. Endorsements, licensing, and insurance for distributed system services. In Proceedings of the 2nd ACM Conference on Computer and Communications Security, pages ACM, S. Melnik, A. Hackett, M. Porter, P. Mucha, and J. Gleeson. The unreasonable effectiveness of tree-based theory for networks with clustering. Physical Review E, 83(3):036112, R. Miura-Ko, B. Yolken, N. Bambos, and J. Mitchell. Security investment games of interdependent organizations. In Communication, Control, and Computing, th Annual Allerton Conference on, pages IEEE, D. Moore, C. Shannon, et al. Code-red: a case study on the spread and victims of an internet worm. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, pages ACM, M. Newman. Networks: an introduction. Oxford Univ Pr, N. Nisan. Algorithmic game theory. Cambridge Univ Pr, J. Omic, A. Orda, and P. Van Mieghem. Protecting against network infections: A game theoretic perspective. In INFOCOM 2009, IEEE. 25. S. Shavell. On moral hazard and insurance. The Quarterly Journal of Economics, 93(4):541, N. Shetty, G. Schwartz, M. Felegyhazi, and J. Walrand. Competitive cyberinsurance and internet security. Economics of Information Security and Privacy, pages , Z. Yang and J. Lui. Security adoption in heterogeneous networks: the influence of cyber-insurance market. http: // www. cse. cuhk. edu. hk/ %7ecslui/ TR1. pdf, Z. Yang and J. Lui. Investigating the effect of node heterogeneity and network externality on security adoption. In Thirteenth ACM Sigmetrics Workshop on MAthematical performance Modeling and Analysis (MAMA), Jun, 2011.